security - Block upload of executable images (PHP)

Question

It has come to my attention that a user has been trying to create an exploit through avatar image uploads. This was discovered when a user reported to me that they were getting a notice from their Norton Anti-virus saying "HTTP Suspicious Executable Image Download." This warning was referencing the user's avatar image. I don't think they had actually achieved anything in the way of stealing information or anything like that, but I assume it could be possible if the hole is left open long enough. I use PHP to upload the image files, and I check if the file being uploaded is a png, jpg, bmp, or gif.

This is the code that checks if it is an image:

$allow_types = array('image/jpeg', 'image/png', 'image/gif', 'image/jpg', 'image/png', 'image/bmp', 'image/bitmap');
if (in_array($this->tmp_image['type'], 
$this->allow_types)) {
   return true;
}

Answer 1

There is no way to prevent uploading of malicious files. What you need to care about instead is how you handle those files.

Suggestions such as re-saving the image file are doomed. It is possible to bypass such manipulation by ordering the bits so that they are in the order the attacker wants after a known image compressor has run.

There are so many ways to combine images and malicious files. A malicious file could be an executable, or just contain JavaScript that gets interpret by a browser. Besides, how are you supposed to re-save files that are not type of image?

When handling file uploads, one must take care of the following.

• Limit the amount of bytes to upload per user so your server won't run out of space.

• Limit the amount of files to upload per user so your server won't run out of inodes.

• Store the files above your document root so that they aren't directly accessible.

• Serve your files through a PHP-proxy script, write something like:

  $data = file_get_contents('/home/account/files/file.png');
  header('Content-Type: image/png');
  header('Content-Length: '. strlen($data));
  header('X-Content-Type-Options: nosniff');
  echo $data;
  

• Rename uploaded files to have a completely random name without an extension. If you need to store the filename (and extension/type), store the details in the database.

• If needed, serve files only when the user has a permission to have it.

• Never include/execute the files you uploaded. This means no include or require in PHP. No HTML script tags or stylesheet tags including them. No Apache Include commands including them. And so forth.

• If at all possible, serve the files from other origin. This eliminates origin issues that occur with Flash mostly. Using a different port, a domain name or an IP-address is also fine. Serving from sub-domains is dangerous and with IP-addresses the implementation gets slightly harder (i.e., you can't serve files via the domain, only via IP and you can't serve the site via IP, but via the domain).

• Beware of LFI and RFI. Rename the filenames before using the filename within functions like fopen(), read(), etc. and validate/sanitize any directory values as needed.